From Chaos to Placidity

Feb 22

Lack of Posts

Guys, I am doing a data center migration. I will be MIA for the next few weeks, as I have been. If I get time I will post some IT ramblings soon.

SB

Feb 16

Cars and IT

My car was broken into last night. Every single loose coin in my car was stolen. My LED flashlight was also stolen. A few nice items in the car were not taken, which was a relief. Also, every document in my glove compartment was examined. The documents were stacked in a strangely neat pile on the passenger seat.

This event has a lot of similarities to IT security. I'll draw a few comparisons and then ask you to leave me comments so we can open up some dialog.

Low Hanging Fruit

From outside the car the only visible item was the change. Even though I didn't value that change as anything important, the thief did, and risked the crime of entering my car to get it. As IT security people we need to remember that things we consider low value might be high value to someone else, and that obtaining a low-value item can lead to the compromise of something high value. In the car example, if I had an iPod stashed away, they could have stolen that too: the iPod itself may have been well hidden, but the money was not, so the low-hanging fruit I left out let the intruder reach more valuable goods. For this reason we need to value our internal assets correctly and secure the things we don't see as valuable well enough to prevent further privilege escalation.

More than just necessity

Why were my papers organized so nicely? The intruder only took change, but he or she meticulously went through every single item in my car, determining its value. Given the number of items in my car and glove box, I can't be certain that the intruder didn't take something of value: even though some nice items weren't taken, a more hidden or less obvious item may have been. This makes me think about inventory management and file integrity monitoring. This is very important, as an inventory is really the only insight into where, what and how your data is organized.

Silent Entrance

The window was not broken, and in all honesty, if they had put the documents back in the glove compartment I would not have known a thief had been in the car until I looked at my change cup. This got me thinking about the importance of IDS and anomaly detection. If a theft occurs and you have no way of detecting it, it can be detrimental to your company. I think more SMBs need to consider this even if their IT infrastructures are small. The extra money and hardware needed to implement a solid IDS is far less expensive than the silent theft of trade secrets or source code.
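As an added illustration of the file integrity monitoring and silent-change detection points in this post (example code written for this page, not the author's), here is a small Python baseline-and-compare script. It hashes every regular file under a directory into a baseline, then diffs a later snapshot against it so that a rewritten file, a loosened permission, a deleted file and a dropped-in new file each show up, whether or not anything looks broken. The directory it walks is a temporary one the demo creates itself, with constructed files; point snapshot() at a real tree to use it.

```python
"""File-integrity baseline and comparison (added example, not the post's code)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (path relative to root) to
    (sha256 hex digest, size in bytes, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            mode = os.stat(full).st_mode & 0o7777
            snap[os.path.relpath(full, root)] = (digest.hexdigest(), os.path.getsize(full), mode)
    return snap


def compare(baseline, current):
    """Diff two snapshots. 'modified' holds (path, reasons) where reasons is a
    comma-joined subset of content,size,mode naming what changed."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": [],
    }
    for path in sorted(set(baseline) & set(current)):
        reasons = [
            label
            for label, old, new in zip(("content", "size", "mode"), baseline[path], current[path])
            if old != new
        ]
        if reasons:
            report["modified"].append((path, ",".join(reasons)))
    return report


def demo():
    """Constructed scenario in a temp dir: take a baseline, then make the kinds
    of changes a quiet intruder leaves behind, and return the comparison."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    os.mkdir(os.path.join(root, "etc"))
    files = {  # constructed sample files, not real system files
        "etc/exports": b"/nas 10.10.1.0/24(rw,sync)\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "notes.txt": b"inventory list\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o600)  # fixed starting mode so the umask does not matter
    baseline = snapshot(root)

    # 1. Same-length rewrite: a size check misses it, the hash does not.
    loosened = files["etc/exports"].replace(b"10.10.1.0/24", b"*".ljust(12))
    assert len(loosened) == len(files["etc/exports"])
    with open(os.path.join(root, "etc/exports"), "wb") as fh:
        fh.write(loosened)
    # 2. Content untouched, permissions opened up.
    os.chmod(os.path.join(root, "etc/hosts"), 0o666)
    # 3. Something taken, something left behind.
    os.remove(os.path.join(root, "notes.txt"))
    with open(os.path.join(root, "dropped.bin"), "wb") as fh:
        fh.write(b"\x90" * 16)

    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In real use the baseline would be written to a file kept off the monitored host (or signed), since a baseline the intruder can rewrite detects nothing; the comparison is the cheap part, protecting the baseline is where the value is.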

Feb 11

Proactive Hardware Monitoring

AUTOMATE!

Feb 09

Importance of Quality Documentation

I am going through this tutorial and I am very impressed by the quality of this documentation.

http://www.offensive-security.com/metasploit-unleashed/

It got me thinking about creating my own documentation in such a robust way that any user with enough experience could flawlessly execute what I am documenting. I think this style of documentation (how-to) would be especially effective on projects that are highly specialized and not frequently used. Many of the documents I create these days follow the how-to format, but my documentation leaves out some of the background and the reasons for doing the configuration steps. My initial thought on this omission was that the people reading my documents would just want the quick and straightforward route to the answer. I see now that this is effective for some types of configurations, but others require a fuller description to really stick.

I think going forward I will be focusing on providing even more robust how-tos on the site and also including more back-story, which will give everyone a better understanding of the task we are trying to accomplish.

SB

Feb 03

Age

You are as old as you think you are.  The minute you start to tell yourself you are old, you become old.  Stay young by believing in yourself, your motivation, and your desire to live long without sacrifice.

SB

No posts on Mondays?

I can say that it's not a case of the Mondays. I can also say that it isn't because I am busy playing Starcraft or being lazy. It's something every security or network admin can relate to.

Mondays are always filled with a surplus of issues. People hold off asking questions on weekends, and things silently fail when nobody is around. You get the drift.

I've tried many preemptive techniques to battle this: working a few hours on Sunday, coming in early on Monday, etc. Still, when 9am rolls around things get crazy.


Did a few stats on trouble tickets in Basecamp today.  Found out that we get on average 22% more support requests on Mondays than any other day of the week.


That is why I do not post, I have no time!

SB

Jan 29

Friday Reflection: Data vs. Information vs. Knowledge

I was listening to NPR this morning and someone was using data and information interchangeably. These are two separate terms and it's beneficial to really understand the difference between them.

Data is facts or descriptions of facts.  That is it!

Information is data plus meaning.  There is something there with information, it might not be organized yet but it’s there!

Knowledge is information plus context.  This context can convey understanding.

S.B.

Jan 28

Ldap Vs. Winbindd

I'll make this post short and sweet. Go LDAP! I am not liking a lot of things about running winbind/kerberos. For one, it's ugly!

User accounts look like this:

DOMAIN+bob

I added a default domain to my /etc/samba/smb.conf file:

[code] winbind use default domain = true [/code]

Now user accounts look like this:

bob

Okay that is nice, but what about UID/GID?

id bsus

uid=10173(bsus) gid=10000(domain users) groups=10000(domain users),10003,10004,10001(domain admins),10006(BUILTIN+users),10005(BUILTIN+administrators)

I'm starting to dislike this, it's messy. With LDAP+AD it just feels smoother. More to come... Gotta jet to a meeting.

Jan 27

Sharing is caring: Samba (unfinished)

In this how-to, I will show you how to take your Linux box, export a share, and modify its contents using Windows.

Background

I was asked to export some data from a host which has connectivity to an iSCSI LUN. Since the Windows hosts don't have connectivity to the iSCSI LUN, the Linux box will export this share via NFS and use Samba/Kerberos to allow Windows users to see it.

Caveats

When you are on Linux and you look at files created via Windows, you see the owner like this:

DOMAIN+bob

If you aren't currently using Samba/Kerberos authentication for user accounts on your Linux box, this is a real problem: your Windows users need accounts that the Linux box can resolve and authenticate. That is configured through pam.d, nsswitch.conf and a few more tweaks.

I am going to skip that here and assume you only really care about exporting the share and allowing Windows users to use their accounts to read and write files. I will have a subsequent post that explains how to set up winbind/samba to do your authentication.

Steps

server# yum -y install samba samba-client krb5-workstation

(The samba package is what provides smbd and the smb init script used below; samba-client on its own only gives you the client tools.)

modify /etc/hosts and add the following:

xxx.xxx.xxx.xxx    adserver.domain   adserver

modify /etc/krb5.conf (default_realm, the [realms] block and the realm line in smb.conf must all name the same realm, and realm names are case sensitive, so keep them uppercase):

[code]
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOMAIN.NET = {
kdc = adserver.domain.net:88
kdc = adserver2.domain.net:88
kdc = adserver3.domain.net:88
admin_server = adserver.domain.net:749
default_domain = domain.net
}

[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[/code]

Next run:

server# kinit administrator@DOMAIN.NET

Make sure you can authenticate

Edit /etc/samba/smb.conf

[code]
[global]
netbios name = mylinuxbox
workgroup = DOMAIN
realm = DOMAIN.NET
security = ADS
encrypt passwords = yes
password server = *
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
os level = 20
preferred master = no
#       socket address = 10.10.1.88
wins server = 10.10.1.88
wins proxy = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
log file = /var/log/samba/log.%m
max log size = 50

[nas]
comment = a comment
path = /nas
browseable = yes
writeable = yes
inherit acls = yes
inherit permissions = yes
create mask = 0700
directory mask = 0700
valid users = @"DOMAIN+Domain Users"
admin users = @"DOMAIN+Domain Admins"
[/code]

Both idmap uid and idmap gid are needed, otherwise winbind has no range to allocate group ids from. Group names in valid users/admin users are qualified with the NetBIOS domain (workgroup) and the winbind separator, not the Kerberos realm. Two things to keep in mind on the [nas] share: admin users makes members of Domain Admins do all file operations on the share as root, so drop that line unless you actually need it, and a create mask/directory mask of 0700 means only the creating owner can read what they write, which is fine for a drop area but not for a shared work area.

Run the following (join the domain first, then bring up the daemons):

server# net ads join -U Administrator

modify /etc/nsswitch.conf so winbind is consulted after the local files (add ldap only if nss_ldap is actually configured on the box; otherwise every lookup waits on a directory that isn't there):

passwd:     files winbind
shadow:     files winbind
group:      files winbind

server# service smb start

server# service winbind start

server# chkconfig smb on

server# chkconfig winbind on

(If your distribution has no winbind init script, start /usr/sbin/winbindd directly and add that line to /etc/rc.local.)

server# wbinfo -u

Commands to run to check things:

getent passwd

Should list the AD users after the local ones (winbind enum users = yes is what makes enumeration work).

wbinfo -t

Checks the machine trust account created by the join.

kinit administrator@DOMAIN.NET

Should prompt you for a password and return you to the command line with no error; klist then shows the ticket.

net ads testjoin

Should report that the join is OK. If it doesn't, rerun net ads join -U Administrator and enter your password.

edit /etc/exports

[code]
/nas 10.10.1.0/24(rw,sync)
[/code]

You can put whatever you like in your exports just like you normally would, but keep the client list tight: *(rw,sync) lets every host that can reach the server mount /nas read-write, with only root_squash (on by default) between a client's root and your files. List the hosts or subnet that actually need it (the 10.10.1.0/24 above is an example network, chosen to match the WINS server address used in smb.conf), then run exportfs -ra to apply.
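To catch the mismatches that make a join or winbind fail before you touch the domain, here is an added Python check (not part of this how-to and not a Samba tool) that cross-reads smb.conf and krb5.conf. The two configs embedded in it are constructed copies of the fragments in this post with the placeholder realm DOMAIN.NET: a broken variant carrying the mistakes that bite in practice (krb5.conf default_realm not matching the smb.conf realm, idmap gid missing, share group names prefixed with the realm instead of the NetBIOS workgroup) beside a corrected one. The parser is a minimal INI reader, not Samba's own, and the checks are heuristics.

```python
"""Cross-check smb.conf against krb5.conf for a winbind/ADS member
(added example, not the how-to's code and not a Samba tool)."""
import re


def parse_ini(text):
    """Minimal {section: {key: value}} reader with lowercased section and key
    names. Tolerates '#'/';' comments and krb5.conf brace blocks: a line like
    'DOMAIN.NET = {' is kept as the key 'domain.net', a bare '}' is skipped,
    and a repeated key (several kdc = lines) keeps the last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_ads_member(smb_text, krb5_text):
    """Return (code, message) findings; an empty list means the two files agree."""
    smb, krb = parse_ini(smb_text), parse_ini(krb5_text)
    g = smb.get("global", {})
    realm = g.get("realm", "")
    workgroup = g.get("workgroup", "")
    sep = g.get("winbind separator", "\\")  # Samba's default separator
    default_realm = krb.get("libdefaults", {}).get("default_realm", "")
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append(("NOT_ADS", "security = ADS is required for a Kerberos domain member"))
    if realm.upper() != default_realm.upper():
        findings.append(("REALM_MISMATCH",
                         f"smb.conf realm {realm!r} but krb5.conf default_realm {default_realm!r}"))
    if realm.lower() not in krb.get("realms", {}):
        findings.append(("REALM_UNDEFINED", f"krb5.conf has no [realms] block for {realm!r}"))
    for key in ("idmap uid", "idmap gid"):
        if key not in g:
            findings.append(("IDMAP_MISSING", f"{key} is not set; winbind cannot allocate ids"))
    for name, share in smb.items():
        if name == "global":
            continue
        for key in ("valid users", "admin users"):
            for group in re.findall(r'@"?([^",]+)', share.get(key, "")):
                prefix = group.split(sep, 1)[0] if sep in group else ""
                if prefix.upper() != workgroup.upper():
                    findings.append(("GROUP_PREFIX",
                                     f"[{name}] {key}: {group.strip()!r} should be "
                                     f"{workgroup}{sep}<group>; winbind names groups by the "
                                     f"NetBIOS domain, not the realm"))
    return findings


# Constructed copies of the post's fragments, placeholder realm DOMAIN.NET.
BROKEN_SMB_CONF = """
[global]
netbios name = mylinuxbox
workgroup = DOMAIN
realm = DOMAIN.NET
security = ADS
idmap uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
[nas]
path = /nas
valid users = @"DOMAIN.NET+Domain Users"
admin users = @"DOMAIN.NET+Domain Admins"
"""

BROKEN_KRB5_CONF = """
[libdefaults]
default_realm = MATCAP.NET
dns_lookup_kdc = false
[realms]
DOMAIN.NET = {
  kdc = adserver.domain.net:88
  kdc = adserver2.domain.net:88
  admin_server = adserver.domain.net:749
}
[domain_realm]
.domain.net = DOMAIN.NET
"""

FIXED_SMB_CONF = (BROKEN_SMB_CONF.replace("winbind gid", "idmap gid")
                  .replace('@"DOMAIN.NET+', '@"DOMAIN+'))
FIXED_KRB5_CONF = BROKEN_KRB5_CONF.replace("MATCAP.NET", "DOMAIN.NET")


def broken_findings():
    return check_ads_member(BROKEN_SMB_CONF, BROKEN_KRB5_CONF)


def fixed_findings():
    return check_ads_member(FIXED_SMB_CONF, FIXED_KRB5_CONF)


if __name__ == "__main__":
    for code, msg in broken_findings():
        print(f"{code}: {msg}")
    print("fixed:", fixed_findings() or "clean")
```

Run it against your real files with check_ads_member(open("/etc/samba/smb.conf").read(), open("/etc/krb5.conf").read()) before net ads join; a realm mismatch shows up here as a clean finding instead of as a vague Kerberos error from kinit or net.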

iPad

Seems to me to be a huge iPod Touch.